What is your idea?


Describe it:
In as few sentences as possible, please describe your idea.


The Open Medical Record System (OpenMRS) is an open source health information technology 
system. It is the most used medical record system platform in developing countries. Created in 
2004, OpenMRS helps health care providers around the world, including South Africa, Kenya, 
Rwanda, Lesotho, Zimbabwe, Mozambique, Uganda, Tanzania, Haiti, India, China, United 
States, Pakistan, the Philippines, and many other places. 


We aim to ensure that OpenMRS meets the highest standards for security and privacy, topics
that are especially important for personal health information, which constitutes a particularly
sensitive type of data. Strengthening security and privacy in OpenMRS is critical given the
ubiquitous use of this platform, and especially because of the disparate state of privacy and
security in the countries that have implemented our system. With an appropriate data protection
overhaul, we can help guarantee that everyone who uses OpenMRS can increase the safety of
patients, communities and health care providers.


Our plan includes evaluating and reviewing previously identified security vulnerabilities and
privacy concerns and developing mitigation plans for them. In addition, we will review the
European Union's General Data Protection Regulation (GDPR) and the Health Insurance
Portability and Accountability Act (HIPAA) and develop plans for OpenMRS to be fully compliant
with these laws. Our final goal is to assess the potential to increase the privacy and security of
information by using appropriate tooling and creating a universal framework for the protection of
medical data. Besides that, we want to educate the enormous community that is using OpenMRS
in topics of confidentiality, privacy and security of data.


We don't want to do this security overhaul only for OpenMRS: the data protection framework we
want to work out in this project, along with some of the educational materials, could be used by
various other projects, especially those focused on health issues.


What are the hoped-for goals or longer-term effects of the project?

We want to know how you think the world could be, what larger purpose this project is a part of,
and/or the bigger target you are aiming for. Bulleted lists are good.


- Assuring health care providers in developing countries who use the medical record system
  that the confidentiality between them and their patients is demonstrably protected.

- Capacity building around the importance of data security and privacy for developers,
  implementers, and communities. Webinars and e-learning courses would help thousands of
  medical sites learn the role and value of protecting the electronic medical records of their
  patients.

- Increasing trust in healthcare workers and in the digital system that they are using for their
  patients.

- Protecting medical records that include data that can be misused (for example, by oppressive
  governments), such as HIV status, gender preference or medication history.

- Enabling OpenMRS to be used in additional countries by updating the system to be compatible
  with data protection laws such as GDPR and HIPAA. This would ensure that hundreds of new
  patients would have the ability to digitize their medical records, enabling better quality of
  healthcare for them.

- Providing a security and privacy framework to similar open-source projects, especially those
  centered around medical issues. This specific type of software needs tailor-made solutions
  that answer the issues specific to it.


Focus: 


Access to the Internet 
Awareness of access 
Privacy enhancement 
Security from danger or threat online 
Status:


[ ] Just an Idea (Pre-alpha)
[ ] It Exists! (Alpha/Beta)
[ ] It's basically done. (Release)
[x] People Use It. (Production)


Technology attributes: 
Browser extension
Browser plugin
Unmanaged language
User interface/experience
Anonymity
Application deployment
Web application
Server daemon
Web API/Mobile application (serverside)
Mobile application (clientside)
Cryptography
Desktop client
Desktop App
Dependency integration
Software as a Service (SaaS)
Platform as a service (PaaS)
Infrastructure as a service (IaaS)
Sensitive data
Networking
Wireless Communication
Hardware/Embedded device(s)
Reverse Engineering
Other
Not applicable


How will you do it?

Describe how:

Briefly and clearly list key milestones, objectives, and/or activities. These should be
specific, measurable, attainable, realistic, and time-relatable. Bulleted lists are ideal.
- Milestone 1: Analyze current state and adjust further work plan [estimated effort: 50
  man-days (MD)]

  - [40 MD] Conduct an overarching review of current/past community-based posts and reports
    about security, privacy and confidentiality concerns to identify any potential areas that
    have not been identified yet

  - [10 MD] Identify community members/organizations that are willing/able to assist in the
    review, development of mitigation plans, and implementation of mitigation processes and
    code


- Milestone 2: Implement previously identified fixes/improvements [210 MD]

  - [10 MD] Implement a password expiration, blacklist and password quality policy
  - [10 MD] Implement session timeouts and account locking after repeated login failures
  - [30 MD] Create a generic, secure, configurable and extensible auditing system
  - [20 MD] Enhance administrative responsibilities to support divisions across multiple
    administrators
  - [20 MD] Encrypt and/or secure the most important database tables
  - [20 MD] Implement encrypted data exports
  - [20 MD] Implement extra security at the controller level for the WebApp
  - [20 MD] Enforce installation rules to secure OpenMRS binaries
  - [40 MD] Secure AJAX DWR in the WebApp to fix possible JavaScript vulnerabilities
  - [20 MD] Fix various security vulnerabilities, such as:
    - Multiple cross-site scripting issues
    - A cross-site request forgery
    - An access bypass


- Milestone 3: Produce high-quality guidance materials and educate the community in
  privacy/security/confidentiality topics [170 MD]

  - [50 MD] Develop with the community generic privacy, security and confidentiality guidance
    materials that can be publicly published, with the goal of increasing capacity at the local
    and national levels around these topics.

  - [20 MD] Create extensive security guidance in the implementers' documentation and make
    sure that the community is well educated in this topic

  - [100 MD] Prepare and conduct privacy and security training in the form of webinars and
    e-learning courses for healthcare providers that are using OpenMRS
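The account-policy items under Milestone 2 (password quality and blacklist, password expiration, session timeouts, account locking after repeated login failures, and a generic auditing system) are controls that are easy to get subtly wrong, so the following added example shows how they fit together. It is illustrative Python written for this page, not OpenMRS code (OpenMRS itself is a Java application), and the thresholds (12-character minimum, five failures, 15-minute lockout, 90-day expiry, 30-minute idle timeout), the small blacklist and the injectable clock are assumptions, not values taken from the proposal.

```python
"""Password quality policy, failed-login lockout, password expiry, idle session
timeout and an audit trail (assumed thresholds; not OpenMRS code)."""
import hashlib, hmac, os, secrets
from dataclasses import dataclass

# Constructed sample blacklist; a deployment would load a large breach list.
BLACKLIST = {"password", "123456", "qwerty", "openmrs", "letmein"}

def password_problems(pw: str, min_len: int = 12) -> list:
    """Return the policy rules a candidate password violates (empty = accepted)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in BLACKLIST:
        problems.append("appears on the blacklist")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    return problems


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: float            # clock value when the password was last set
    failed_attempts: int = 0
    locked_until: float = 0.0   # clock value until which logins are refused


class AuthService:
    """In-memory account store with lockout, expiry, idle timeout and auditing."""

    def __init__(self, clock, max_failures=5, lockout_secs=900,
                 pw_max_age_secs=90 * 86400, idle_timeout_secs=1800):
        self.clock = clock                  # injectable time source (seconds)
        self.max_failures = max_failures
        self.lockout_secs = lockout_secs
        self.pw_max_age_secs = pw_max_age_secs
        self.idle_timeout_secs = idle_timeout_secs
        self.accounts = {}                  # username -> Account
        self.sessions = {}                  # token -> {"user", "last_seen"}
        self.audit = []                     # append-only; never holds passwords

    def _log(self, event, username, **detail):
        self.audit.append({"t": self.clock(), "event": event,
                           "user": username, **detail})

    @staticmethod
    def _hash(salt: bytes, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)  # slow, salted

    def register(self, username: str, password: str) -> None:
        problems = password_problems(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, self._hash(salt, password), self.clock())

    def login(self, username: str, password: str) -> tuple:
        """Return (status, token); token is set only when status == 'ok'."""
        acct, now = self.accounts.get(username), self.clock()
        if acct is None:
            self._log("login_failed", username, reason="unknown_user")
            return "bad_credentials", None
        if now < acct.locked_until:
            self._log("login_failed", username, reason="locked")
            return "locked", None
        if not hmac.compare_digest(acct.pw_hash, self._hash(acct.salt, password)):
            acct.failed_attempts += 1
            if acct.failed_attempts >= self.max_failures:
                acct.failed_attempts = 0
                acct.locked_until = now + self.lockout_secs
                self._log("account_locked", username, until=acct.locked_until)
                return "locked", None
            self._log("login_failed", username, reason="bad_password")
            return "bad_credentials", None
        acct.failed_attempts = 0
        if now - acct.pw_set_at > self.pw_max_age_secs:
            self._log("login_failed", username, reason="password_expired")
            return "password_expired", None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username, "last_seen": now}
        self._log("login", username)
        return "ok", token

    def touch_session(self, token: str):
        # Return the session owner, or None (and drop the session) once idle too long.
        sess = self.sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess["last_seen"] > self.idle_timeout_secs:
            del self.sessions[token]
            self._log("session_expired", sess["user"])
            return None
        sess["last_seen"] = now
        return sess["user"]
```

The clock is injected so lockout, idle timeout and expiry can be exercised without waiting; in production it would be `time.time`. The failure counter is reset when the lockout triggers, so an expired lockout does not re-lock on the very next failure, and the audit trail records only usernames, events and reasons, never passwords or hashes.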


Research
Technology development
  - Deploying technology
  - Software or hardware development
  - Testing
[x] Training

How long will it take: 12 months

How much do you want: $150,000


Who is the project for?

Describe them:

In other words, who are the people benefiting from or affected most by this effort, and how well
do you know them?

- The OpenMRS system works in over 3,000 medical sites for about 8.7 million patients all over
  the world.

- OpenMRS was created as a response to the challenges presented by pandemics of epic
  proportions, as over 40 million people are infected with diseases such as HIV/AIDS,
  multi-drug resistant tuberculosis or malaria. Ultimately, our goal is to ensure adequate and
  appropriate protection for the patients, communities, and healthcare workers that document
  medical care using OpenMRS.

- OpenMRS was initially developed to provide documentation and improvement of care for
  patients with HIV/AIDS. Currently, OpenMRS is used in multiple care settings and collects
  information that is sensitive as it includes PII as well as PHI. Ensuring appropriate security
  and protection for the patients, communities, and health care providers is a critical
  component of use of the software.

- The OpenMRS software is implemented in over 64 countries, such as South Africa, Rwanda,
  Lesotho, Zimbabwe, Tanzania, Haiti, India, China, United States, Pakistan, the Philippines
  and many other places. You can see them all on this site:

  - https://atlas.openmrs.org

- The Uganda, Kenya and Mozambique Ministries of Health have adopted OpenMRS as their
  national electronic medical record (EMR).

- Some of the places that use OpenMRS are on the list of not-free and partly free countries
  created by Freedom House. That is why it is especially important to guarantee the safety of
  patient data in these regions:

  - https://freedomhouse.org/report/freedom-world/freedom-world-2018

- See the annual report for specific details about our users, as well as our developer
  community:

  - https://openmrs.org/wp-content/uploads/2018/03/2017-OpenMRS-Annual-Report.pdf

- This project is also for other developers of medical software. They could use our framework
  to implement security and privacy solutions in their own projects.


What community currently exists around this project?

Define the community as you see it. If your answer is none, please explain how you plan to
cultivate community around the proposed effort, including mechanisms to receive feedback and
get others involved.


- The OpenMRS community is a large international community that is over a decade old, and
  has regular and consistent developer and implementer participation.

- Our community hub, the discussion forum OpenTalk, had in 2017:

  - 29,986 total visits
  - 2,816 topics created
  - 20,323 posts written

- 209 developers from around the globe made 4,250 commits to 112 code repositories in the
  OpenMRS GitHub organization in 2017.

- Our annual Implementers' Conference was held in Lilongwe, Malawi. A total of 175 members
  from 20 countries attended to learn more about how Malawi plans to achieve a nationwide
  implementation of OpenMRS, as well as to share their knowledge, experience, and challenges
  with fellow developers and implementers.

- Here are some of the organizations that are supporting OpenMRS in various ways:

  - AMPATH
  - Centers for Disease Control, U.S.
  - Fogarty International Center, NIH
  - Google
  - Harvard Medical School
  - International Development Research Centre
  - Jembi Health Systems
  - Medical Research Council, South Africa
  - Millennium Villages Project
  - Partners In Health
  - Regenstrief Institute
  - Rockefeller Foundation
  - SalesForce
  - SolDevelo
  - ThoughtWorks
  - University of California San Francisco
  - University of Washington
  - World Health Organization
  - and many others


Beneficiaries: 

General public 
Women 

Youth 

Sexual minorities 
Ethnic minorities 
Activists 
Journalists 
Advocacy groups/NGOs 
Academia 
Technologists 
Entrepreneurs 
Government 
Other 
Region:

Global 

North Africa and Middle east 
East Africa 

West Africa 

South Africa 

North Asia and Russia 
Central Asia 

East Asia 

South Asia 
South-East Asia 
Eastern Europe 
Central America 
Caribbean 

Andean 

Southern cone 
Why is this project needed?


Describe why:

Describe one or more of the following: the specific needs of the group(s) being met, how it
uniquely solves a known issue or improves upon existing solutions, and/or what knowledge,
research, technology, or community gap the proposed effort is intending to fill. If the effort
targets a specific group of people, note any research or analysis you have done to ensure the
effort serves the target population.


The OpenMRS developer and implementer community is well aware of ongoing privacy and
security issues, but we have had limited resources (fiscal, as well as human) to address these
concerns. The recent implementation of GDPR has highlighted the importance of ensuring
appropriate privacy and security within our software, as well as the need to generate guidance
for end users about security and confidentiality.

Health care providers in developing countries deserve the best possible protection of their
medical data. Confidentiality between them and their patients has been one of the key principles
of healthcare since the Hippocratic Oath. In the new digital age, we have to be sure that these
values remain intact. This is not a problem only for developing countries (the National Health
Service of Great Britain had leaks of information from its medical records about 2 years ago),
but it is especially important for them: people with certain diseases (like HIV) can be
discriminated against and persecuted because of them. That is why this project is so needed.

Electronic health records improve quality of care, reduce cost, enhance patient mobility, are
more reliable, and enable evidence-based medicine. Allowing OpenMRS to be available in more
countries, by being compatible with laws such as GDPR and HIPAA, will bring better healthcare
to even more patients.


Addressed problems:

[ ] Restrictive Internet filtering by technical methods (IP blocking, DNS filtering, TCP RST,
    DPI, etc.)
[ ] Blocking, filtering, or modification of political, social, and/or religious content
    (including apps)
[ ] Technical attacks against government critics, journalists, and/or human rights
    organizations (Cyberattacks)
[ ] Localized or nationwide communications shut down or throttling (Blackouts)
[ ] Physical intimidation, arrest, violence (including device seizure or destruction), and
    death for political or social reasons
[ ] Pro-government manipulation of online discussions (propaganda, imitation content, and/or
    sockpuppets)
[ ] Repressive surveillance or monitoring of communication
[ ] Policies, laws, or directives that increase surveillance, censorship, and punishment
[ ] Government practices that hold intermediaries (social networks or ISPs) liable for user
    content
[ ] Prohibitive cost to access the Internet
[x] Other


Similar/Complementary efforts

List other similar efforts to this proposed project. OTF expects this to include a review of any
available technologies or programs that are similar to the project described. This not only allows
OTF to understand how your project can be distinguished from those already active but also an
applicant's understanding of the current landscape for such an undertaking.

- The Journal of Medical Systems has published an article, "Security Techniques for the
  Electronic Health Records", which presents a review of similar efforts by various medical
  record systems around the world. The researchers collected 25 relevant research articles
  through three separate database queries. Our security solutions are inspired by this article,
  but we have to adjust and transform them for the specific needs of medical sites in developing
  countries. We have to be sure that our new privacy and security features won't increase the
  cost of implementing OpenMRS.

  - https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5522514/


Other information:

- to be completed/not needed

Provide a way for us to follow up with you, a website, and/or twitter feed.

- https://openmrs.org
- https://twitter.com/openmrs


